The Commission noted that health apps collect sensitive health information, and therefore have a responsibility to protect it. This includes preventing unauthorized access to sensitive information. The Commission worries that these apps currently have very few privacy protections in place. Companies that fail to comply could face monetary penalties of up to $43,792 per violation per day.
Apps Must Comply with Health Breach Notification Rule
On Wednesday, September 15, the FTC issued a new policy statement stating that health apps must comply with the Health Breach Notification Rule. The Rule was originally issued in 2009, and requires vendors of personal health records and related entities to notify their customers when their data is breached or shared without their consent. It focuses primarily on fitness trackers and other health monitoring apps. These apps include those that track “diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.” Additionally, the Commission says the rule applies to apps if they are “capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (“APIs”).”
Users’ Sensitive Health Data is Susceptible to Breaches
Lina M. Khan, Chair of the FTC, worries that these apps do not invest in adequate privacy and data security measures. The Commission’s statement notes that health apps have significantly grown in popularity since 2009. However, they are also ripe targets for cybercriminals. Khan said that while the rule would bring a degree of accountability to their data collection practices, the commodification of sensitive health information presents a more fundamental problem. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” she added.
“Breaches” Not Limited to Cybersecurity or Malicious Hacks
In its statement, the Commission also said that a “breach” constitutes more than just cybersecurity intrusions. Apart from malicious acts from outside actors, it includes incidents of unauthorized access. This means that such apps cannot share their customers’ information with third parties without consent. This is important since many Americans use these apps to track fitness, sleep, diet, and overall health. The FTC also warned companies to enforce the Rule strictly. Companies in violation of the Rule will face civil penalties of $43,792 per violation per day. You may want to read about securing your privacy on popular mobile apps if you are concerned about how apps use your data.